Abstract: Additional workloads are assigned among servers in a power-efficient manner. For each of a plurality of servers, a stored power efficiency/capacity utilization relationship is accessed, current component power consumption values are obtained, and a current power consumption efficiency is calculated. An amount of capacity utilization necessary to perform an additional workload is obtained, and a predicted power consumption efficiency is determined for each server. The predicted efficiency is determined using the current power consumption efficiency of the server and the stored relationship. The workload is then assigned to the server that would have the greatest improvement in power consumption efficiency.

Abstract: Methods and systems of identifying and remediating at-risk resources in a computing environment are provided. A method includes periodically determining respective infrastructure topologies of a computing environment that changes over time, wherein the determining is performed by a computer system communicating with the computing environment. The method also includes: identifying, by the computer system, an intrusion event in the computing environment; determining, by the computer system, at-risk resources in the computing environment based on the determined intrusion event and a corresponding one of the infrastructure topologies; and performing, by the computer system, remediation action for the at-risk resources.

Abstract: A CPU package includes an encryption and decryption module disposed in a communication path between an instruction path of a processor core and a data register that is externally accessible through a debug port, and a key store accessible to the module. The module is configured to encrypt and store data in the data register for each of a plurality of processes being handled in the instruction path, wherein data owned by each process is encrypted and decrypted by the module using an encryption key assigned to the process. The key store is configured to store the encryption key assigned to each of a plurality of processes, wherein the key store is inaccessible outside the CPU package. The data is only decrypted for a requesting process having a process identifier that matches the process identifier stored in the processor data structure along with the requested data.

Abstract: An apparatus includes one or more processor core, trusted key store, memory controller, and a memory module. The memory controller includes an encryption/decryption module that encrypts data being stored to the memory module for a guest OS being executed by the processor core(s) and that decrypts data being read from the memory module for the guest OS. Data owned by the guest OS is encrypted and decrypted by the encryption/decryption module using an encryption key stored by the trusted key store in association with the guest OS. A method encrypts data owned by the guest OS using the encryption key assigned to the guest OS and stores the encrypted data on a memory module, wherein the encrypted data is stored in association with the process identifier of the guest OS, and decrypts the encrypted data using the guest OS encryption key and provides the decrypted data to the guest OS.

Abstract: For each of a plurality of servers, a method includes obtaining current component power consumption values and calculating a current power consumption efficiency. The method further includes determining, for each of the plurality of servers, the current power consumption efficiency and an associated capacity utilization before and during performance of multiple instances of an identified workload. Then, for each server, the method determines a curve of power consumption efficiency as a function of capacity utilization that is representative of the performance of the plurality of instances of the identified workload. Embodiments of the method may then use the curve of power consumption efficiency curve in order to manage the power consumption efficiency of the plurality of servers. For example, the method may assign an additional workload to the server that is identified as having the greatest predicted power consumption efficiency.

Abstract: At power on of a computing device, a baseboard management controller (BMC) of the computing device executes, a first-stage bootloader program to download a second-stage bootloader program from a first server. The BMC executes the second-stage bootloader program to download third-stage firmware of the BMC from a second server. The BMC executes the third-stage firmware to download firmware of a primary processing subsystem of the computing device from a third server, and to start the primary processing subsystem by causing the primary processing subsystem to execute the firmware of the primary processing subsystem.

Abstract: A computer-implemented method includes receiving, by a computing device within a networking environment, a workload for execution within the networking environment; initiating, by the computing device, transfers of the workload to a plurality of network elements within the cloud networking environment; providing, by the computing device, tracking information of the workload as the workload traverses through the plurality of network elements; and storing or outputting, by the computing device, the tracking information regarding of the workload.

Abstract: A method includes: deploying at least one shadow system in association with each of one or more components of a network environment; periodically recording a state map of each active component of the network environment and a corresponding state map of the shadow system(s) associated therewith; periodically comparing the recorded state map of each active component with the corresponding recorded state map of the shadow system(s) associated therewith; determining whether a deviation exists with respect to the recorded state map of each active component and the corresponding recorded state map of the shadow system(s) associated therewith; determining whether the deviation is greater than a predetermined deviation threshold; and declaring a security breach regarding the active component(s) for which the deviation was determined to be greater than the predetermined deviation threshold. Corresponding systems and computer program products are also disclosed.

Abstract: An apparatus includes one or more processor core, trusted key store, memory controller, and a memory module. The memory controller includes an encryption/decryption module that encrypts data being stored to the memory module for a guest OS being executed by the processor core(s) and that decrypts data being read from the memory module for the guest OS. Data owned by the guest OS is encrypted and decrypted by the encryption/decryption module using an encryption key stored by the trusted key store in association with the guest OS. A method encrypts data owned by the guest OS using the encryption key assigned to the guest OS and stores the encrypted data on a memory module, wherein the encrypted data is stored in association with the process identifier of the guest OS, and decrypts the encrypted data using the guest OS encryption key and provides the decrypted data to the guest OS.

Abstract: Additional workloads are assigned among servers in a power-efficient manner. For each of a plurality of servers, a stored power efficiency/capacity utilization relationship is accessed, current component power consumption values are obtained, and a current power consumption efficiency is calculated. An amount of capacity utilization necessary to perform an additional workload is obtained, and a predicted power consumption efficiency is determined for each server. The predicted efficiency is determined using the current power consumption efficiency of the server and the stored relationship. The workload is then assigned to the server that would have the greatest improvement in power consumption efficiency.

Abstract: Additional workloads are assigned among servers in a power-efficient manner. For each of a plurality of servers, a stored power efficiency/capacity utilization relationship is accessed, current component power consumption values are obtained, and a current power consumption efficiency is calculated. An amount of capacity utilization necessary to perform an additional workload is obtained, and a predicted power consumption efficiency is determined for each server. The predicted efficiency is determined using the current power consumption efficiency of the server and the stored relationship. The workload is then assigned to the server identified as having the greatest predicted power consumption efficiency. Alternatively, the workload may be assigned to the server identified as having the greatest improvement in power consumption efficiency.

Abstract: A CPU package includes an encryption and decryption module disposed in a communication path between an instruction path of a processor core and a data register that is externally accessible through a debug port, and a key store accessible to the module. The module is configured to encrypt and store data in the data register for each of a plurality of processes being handled in the instruction path, wherein data owned by each process is encrypted and decrypted by the module using an encryption key assigned to the process. The key store is configured to store the encryption key assigned to each of a plurality of processes, wherein the key store is inaccessible outside the CPU package. The data is only decrypted for a requesting process having a process identifier that matches the process identifier stored in the processor data structure along with the requested data.

Abstract: At power on of a computing device, a baseboard management controller (BMC) of the computing device executes, a first-stage bootloader program to download a second-stage bootloader program from a first server. The BMC executes the second-stage bootloader program to download third-stage firmware of the BMC from a second server. The BMC executes the third-stage firmware to download firmware of a primary processing subsystem of the computing device from a third server, and to start the primary processing subsystem by causing the primary processing subsystem to execute the firmware of the primary processing subsystem.

Abstract: A computer program embodied on a tangible computer readable medium includes computer code for identifying a stored configuration of a system, computer code for determining whether the stored configuration of the system includes digital signatures of each of a plurality of parties, and computer code for conditionally implementing a current configuration of the system, based on the determining.

Abstract: A selected guest key for making configuration changes to a computing device in a current use period of the computing device by an end user to which the selected guest key has been provided is activated. The end user presenting the selected guest key when remotely logging onto the computing device from a remote client computing device is authenticated. Responsive to authentication of the end user, the end user is permitted to make the configuration changes to the computing device via communications from the remote client computing device that are encrypted or signed with the selected guest key. Upon expiration of the current use period, the selected guest key is deactivated, and a new selected guest key for making configuration changes in another current use period by a different end user to which the new selected guest key has been provided can be activated.

Abstract: A method includes: deploying at least one shadow system in association with each of one or more components of a network environment; periodically recording a state map of each active component of the network environment and a corresponding state map of the shadow system(S) associated therewith; periodically comparing the recorded state map of each active component with the corresponding recorded state map of the shadow system(s) associated therewith; determining whether a deviation exists with respect to the recorded state map of each active component and the corresponding recorded state map of the shadow system(s) associated therewith; determining whether the deviation is greater than a predetermined deviation threshold; and declaring a security breach regarding the active component(s) for which the deviation was determined to be greater than the predetermined deviation threshold. Corresponding systems and computer program products are also disclosed.

Abstract: A method includes: detecting a potential security breach associated with at least one component of a network environment; in response to detecting the potential security breach, determining a restorable state of the at least one component, wherein the restorable state is a state prior to the potential security breach; restoring the at least one component to the restorable state; and resuming operation of the at least one component of the network. Corresponding systems and computer program products are also disclosed.

Abstract: Workload distribution based on serviceability includes: generating, for each of a plurality of computing systems, a metric representing serviceability of the computing system for which the metric is generated; and distributing workload among said plurality of computing systems in dependence upon the metrics.

Abstract: A computer-implemented method includes receiving, by a computing device within a networking environment, a workload for execution within the networking environment; initiating, by the computing device, transfers of the workload to a plurality of network elements within the cloud networking environment; providing, by the computing device, tracking information of the workload as the workload traverses through the plurality of network elements; and storing or outputting, by the computing device, the tracking information regarding of the workload.

Abstract: Methods and systems of identifying and remediating at-risk resources in a computing environment are provided. A method includes periodically determining respective infrastructure topologies of a computing environment that changes over time, wherein the determining is performed by a computer system communicating with the computing environment. The method also includes: identifying, by the computer system, an intrusion event in the computing environment; determining, by the computer system, at-risk resources in the computing environment based on the determined intrusion event and a corresponding one of the infrastructure topologies; and performing, by the computer system, remediation action for the at-risk resources.